Method of Infection
When executed, Win32.ForBot.LM copies itself to the %System% directory as SPOOLCLL.EXE and creates a service, "Event Monitor", to run this copy at each Windows start.
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for Windows 95, 98 and ME, and C:\Windows\System32 for Windows XP.
Method of Distribution
Via Network Shares
Forbot.LM attempts to connect to default administrative shares, such as IPC$, admin$, C$, D$, E$ and print$, by guessing usernames and passwords that may have access to these shares. First it tries to discover usernames on the targeted system against which to run its dictionary attack; if that fails, it falls back to a long list of usernames that it carries with it.
The following are some common user names that Forbot tries:
<blank>
a
aaa
abc
admin
administrador
Administrateur
administrator
Administratör
admins
asdf
bill
colin
computer
Convidado
Coordinatore
database
Default
Dell
dick
erik
Gast
george
Guest
home
Inviter
jim
kanri
kanri-sha
karl
kate
kt
login
mark
mary
mgmt
mike
mypc
mysql
OEM
Ospite
OWNER
patrick
pc
peter
qwer
root
server
sql
stacey
stacy
Standard
stefan
steve
steven
student
teacher
temp
Test
tim
tom
user
Verwalter
win
wwwadmin
x
xp
xyz
These are some passwords that Forbot may try to use:
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
0
00
000
0000
00000
000000
0000000
00000000
007
1
11
110
111
1111
11111
111111
1111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
12369
123abc
123asd
123qwe
124
125
128
13
135
1357
13579
147
14789
156
159
1776
1778
2
2001
2002
2003
2004
2010
22
222
2222
22222
222222
2222222
22222222
23
24
246
2468
24680
2486
2525
258
2600
3
32147
33
333
3333
33333
333333
3333333
33333333
354
357
369
4
42
426
44
444
4444
44444
444444
4444444
44444444
456
486
5
54321
55
555
5555
55555
555555
5555555
55555555
6
654321
66
666
6666
66666
666666
6666666
66666666
69
7
74123
756
77
777
7777
77777
777777
7777777
77777777
7852
789
78963
8
842
862
87654321
88
888
8888
88888
888888
8888888
88888888
9
954
9852
99
999
9999
99999
999999
9999999
99999999
a
aaa
aaaa
aaaaaa
abc
abc123
abcd
abcd1234
abcde
abcdef
abcdefg
access
adm
Admin
admin123
administrador
Administrateur
administrator
admins
alpha
ami
amie
anon
anonymous
asdf
asdfg
asdfgh
asdfghjk
asdfghjkl
asdfjkl
askaban
ASP
athlon
azerty
azkaban
baby
backdoor
backup
bbbb
beer
beta
biere
bin
bière
bong
Box
buckbeak
carte
cauldron
cederom
changeme
CNN
coffee
computer
Coordinatore
copin
copine
crash
crew
cédérom
database
debug
Default
dementor
demo
devil
dope
drugs
dude
dumbledore
ecran
enable
ertyuiop
fanny
feds
fgh
fish
foobar
fool
freak
free
fucked
gay
go
god
godblessyou
gryffindor
guest
hagrid
harry
hax
hello
hermine
hermione
hfghfh
hogwarts
home
homework
idiot
ihavenopass
imprimeur
install
Internet
iraq
iuytrewq
jackdaniels
kids
kjhgfdsa
leet
linux
lkjhgfds
LOCAL
login
lol
love
madre
mail
manager
master
masters
merde
metal
mince
mnbvcxz
money
monitor
moonshine
mouse
mybaby
mybox
mypass
mypc
ne
network
new
newfie
newfy
newpass
nick
nobody
noob
nopass
oil
one
opteron
oracle
ordinateur
Ospite
own
owned
owner
pass
PASSWD
password
password123
pat
patrick
pc
penis
PHP
poiut
poiuytre
poiuytrewq
porn
potter
private
pub
public
pussy
pw
pwd
pwned
quidditch
qwaszx
qwer
qwert
qwerty
qwertyui
qwertyuiop
r00t
random
real
red123
remote
reseau
ROOT
rooted
ruler
school
sdfghjkl
secret
secrets
security
server
setup
sex
shadow
share
shit
souris
sql
student
super
superman
supersecret
switch
sybase
sys
SYSTEM
teacher
telnet
temp
Tennessee
test
test1
test123
test2
texas
tivoli
UNIX
user
username
vagina
Verwalter
visitor
washington
web
werty
west
wh0re
whiskey
whisky
whore
win
win2000
win2k
win95
win98
windows
windows2k
windows98
windowsME
WindowsXP
windoze
wmd
work
www
wwwadmin
x
xp
xxx
xxxx
xxyyzz
yxcv
z
zxcv
zxcvb
zxcvbnm
zzzz
écran
Note: It is important to use strong passwords, especially for accounts with administrator privileges.
If the worm successfully guesses a correct combination of username and password, it attempts to copy itself to the following locations on the targeted machine:
<Machine>\IPC$\msgfix.exe
<Machine>\D$\msgfix.exe
<Machine>\print$\msgfix.exe
<Machine>\c$\msgfix.exe
<Machine>\Admin$\msgfix.exe
<Machine>\c$\windows\system32\msgfix.exe
<Machine>\c$\winnt\system32\msgfix.exe
<Machine>\Admin$\system32\msgfix.exe
Forbot may scan for machines to infect via network shares by probing port 139.
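The share-guessing behaviour described above is visible to a defender as a burst of failed logons from one source across many account names. As an added example (not part of the CA write-up), the detector below reads constructed Windows Security log records, simplified to one "timestamp event_id source user" line each rather than real EVTX output, and flags any source that fails against at least five distinct usernames inside one minute, noting how many of those names are in Forbot's own dictionary and whether a success followed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the account names from Forbot's username dictionary (listed above).
WORM_NAMES = {"administrator", "admin", "guest", "root", "user", "test", "owner", "server"}

# Constructed sample records: "timestamp event_id source user".
# Windows Security log event IDs: 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
2005-03-01T10:00:01 4625 10.0.0.7 administrator
2005-03-01T10:00:02 4625 10.0.0.7 admin
2005-03-01T10:00:02 4625 10.0.0.7 Guest
2005-03-01T10:00:03 4625 10.0.0.7 root
2005-03-01T10:00:03 4625 10.0.0.7 colin
2005-03-01T10:00:04 4625 10.0.0.7 test
2005-03-01T10:00:05 4624 10.0.0.7 test
2005-03-01T10:05:00 4625 10.0.0.9 alice
2005-03-01T10:05:30 4625 10.0.0.9 alice
2005-03-01T10:06:00 4624 10.0.0.9 alice
"""

def parse_events(text):
    """Parse the simplified records into (timestamp, event_id, source, user) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, src, user = line.split()
            events.append((datetime.fromisoformat(ts), int(event_id), src, user.lower()))
    return events

def find_dictionary_attacks(events, window=timedelta(seconds=60), min_users=5):
    """Return {source: {"users": [...], "in_worm_list": n, "success": user_or_None}}
    for sources whose failed logons cover at least min_users distinct account names
    inside one window. A legitimate user retrying one account never trips this."""
    by_src = defaultdict(list)
    for ts, eid, src, user in events:
        by_src[src].append((ts, eid, user))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [(ts, u) for ts, eid, u in evs if eid == 4625]
        for i, (t0, _) in enumerate(failures):          # sliding window over failures
            names = {u for ts, u in failures[i:] if ts - t0 <= window}
            if len(names) >= min_users:
                # first successful logon from the same source after the burst began
                success = next((u for ts, eid, u in evs if eid == 4624 and ts >= t0), None)
                hits[src] = {"users": sorted(names),
                             "in_worm_list": len(names & WORM_NAMES),
                             "success": success}
                break
    return hits
```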
Via Exploits
Win32.Forbot can also spread by exploiting vulnerabilities in Windows operating systems. This is a list of known vulnerabilities that Forbot.LM may exploit:
Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 445, 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25454
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (port 1433)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=5705
Microsoft Windows LSASS buffer overflow vulnerability (port 445)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=27886
Microsoft WINS Remote Code Execution Exploit (port 42)
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=31982
Via MySQL Weak Password Exploitation
Forbot may also attempt to exploit weak passwords on MySQL servers via port 3306. The worm tries the following username and password combinations:
Usernames:
sa
admin
root
Passwords:
0
00
000
0000
00000
000000
0000000
00000000
1
11
111
1111
11111
111111
1111111
11111111
123
1234
12345
123456
1234567
12345678
123456789
1234qwer
12369
123abc
123asd
123qwe
124
125
128
13
135
1357
13579
147
14789
156
159
2
2001
2010
22
222
2222
22222
222222
2222222
22222222
24
246
2468
24680
2486
258
3
32147
33
333
3333
33333
333333
3333333
33333333
354
357
369
4
426
44
444
4444
44444
444444
4444444
44444444
456
486
5
54321
55
555
5555
55555
555555
5555555
55555555
6
654321
66
666
6666
66666
666666
6666666
66666666
7
74123
756
77
777
7777
77777
777777
7777777
77777777
7852
789
78963
8
842
862
87654321
88
888
8888
88888
888888
8888888
88888888
9
954
9852
99
999
9999
99999
999999
9999999
99999999
sdfghjkl
secret
secure
security
server
setup
shadow
shit
sql
super
sybase
sys
system
a
aaa
aaaa
aaaaaa
abc
abc123
abcd
abcd1234
abcde
abcdef
abcdefg
access
adm
admin
alpha
anon
anonymous
asdf
asdfg
asdfgh
asdfghjk
asdfjkl
backdoor
backup
bbbb
beta
bin
coffee
computer
crew
database
debug
default
demo
ertyuiop
fgh
free
go
guest
hello
hfghfh
install
Internet
iuytrewq
kjhgfdsa
lkjhgfds
login
mail
manager
master
masters
mnbvcxz
money
monitor
ne
network
new
newpass
nick
nobody
nopass
one
oracle
pass
passwd
password
poiuytre
private
pub
public
qwaszx
qwert
qwerty
qwertyui
random
real
remote
ruler
telnet
temp
test
test1
test2
tivoli
user
username
visitor
web
win2000
win2k
win95
win98
windows
www
xxx
xxxx
zxcvb
zxcvbnm
zzzz
If successful, the worm creates a table 'bla' in the mysql database. The executable is written into the table, and the table's contents are then written out to the file 'app_result.dll'. Forbot creates a MySQL function called 'app_result' that is backed by 'app_result.dll', and calls it in order to execute itself on the infected machine. The worm removes the 'bla' table after the file is created.
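The sequence just described leaves a recognisable trace in MySQL's general query log. As an added example (not part of this write-up), the detector below parses constructed general-log lines and flags a connection that writes a file with INTO DUMPFILE and then loads that same file as a function with CREATE FUNCTION ... SONAME; the page names only the artefacts ('bla', 'app_result', 'app_result.dll'), so the exact statements and the file path in the sample are assumptions.

```python
import re

# Constructed general-log excerpt in MySQL's "time  thread_id  command  argument"
# layout. The statement text and the DUMPFILE path are assumed, not taken from the page.
SAMPLE_LOG = """\
050301 10:12:01   12 Connect   root@10.0.0.7 on mysql
050301 10:12:01   12 Query     CREATE TABLE bla (data LONGBLOB)
050301 10:12:02   12 Query     INSERT INTO bla VALUES (0x4d5a9000)
050301 10:12:03   12 Query     SELECT data FROM bla INTO DUMPFILE 'C:/mysql/lib/app_result.dll'
050301 10:12:03   12 Query     CREATE FUNCTION app_result RETURNS INTEGER SONAME 'app_result.dll'
050301 10:12:04   12 Query     DROP TABLE bla
050301 10:12:04   12 Quit
050301 10:15:00   13 Connect   app@10.0.0.20 on shop
050301 10:15:01   13 Query     SELECT * FROM orders WHERE id = 7
"""

LINE_RE = re.compile(r"^(\d{6} \d{1,2}:\d{2}:\d{2})\s+(\d+)\s+(\w+)\s*(.*)$")
DUMPFILE_RE = re.compile(r"INTO\s+DUMPFILE\s+'([^']+)'", re.IGNORECASE)
SONAME_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE)

def parse_general_log(text):
    """Return (time, thread_id, command, argument) tuples for well-formed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, tid, cmd, arg = m.groups()
            rows.append((ts, int(tid), cmd, arg))
    return rows

def find_udf_drops(rows):
    """Per thread, remember file names written with INTO DUMPFILE; flag any
    CREATE FUNCTION ... SONAME whose library is a file that thread just wrote."""
    written = {}   # thread id -> set of lower-cased basenames written to disk
    findings = []
    for ts, tid, cmd, arg in rows:
        if cmd != "Query":
            continue
        m = DUMPFILE_RE.search(arg)
        if m:
            basename = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
            written.setdefault(tid, set()).add(basename)
        m = SONAME_RE.search(arg)
        if m:
            func, lib = m.groups()
            if lib.lower() in written.get(tid, set()):
                findings.append({"time": ts, "thread": tid, "function": func, "library": lib})
    return findings
```

A CREATE FUNCTION ... SONAME on its own is worth an alert in most deployments; the same-thread DUMPFILE correlation simply separates this worm's pattern from an administrator installing a packaged UDF.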
Payload
Backdoor Functionality
The main function of the trojans and worms in the Forbot family is to allow an attacker to issue commands to the Bot via IRC. This allows the attacker to perform a host of actions on an affected machine, including, but not limited to, the following:
- Flood targeted systems (ping, SYN and UDP floods, i.e. Denial of Service attacks)
- Run a socks4 proxy server
- Port forwarding
- Obtain e-mail addresses from the WAB (Windows Address Book) of the infected computer
- Remove the network shares IPC$ and ADMIN$ in an attempt to stop other malware attacking the computer
- Port scanning
- Delete network shares
- Obtain CD keys for popular game titles, including:
Battlefield 1942
Battlefield 1942 Secret Weapons Of WWII
Battlefield 1942 The Road To Rome
Battlefield 1942 Vietnam
Black and White
Command and Conquer Generals
Command and Conquer Generals Zero Hour
Command and Conquer Red Alert2
Command and Conquer Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2 Covert Strike
Industry Giant 2
James Bond 007 Nightfire
Medal of Honor Allied Assault
Medal of Honor Allied Assault Breakthrough
Medal of Honor Allied Assault Spearhead
Nascar Racing 2002
Nascar Racing 2003
NHL 2002
NHL 2003
Need For Speed Hot Pursuit 2
Need For Speed Underground
Neverwinter Nights
Ravenshield
Shogun Total War Warlord Edition
Soldiers Of Anarchy
Soldier Of Fortune 2
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Call of Duty
- Download and execute arbitrary files via HTTP or direct connection
- Obtain information about an infected computer, such as the Windows product key and system information including CPU speed, memory, OS and build version, system uptime, current user, etc.
- Add / remove system services
- Logoff / reboot / shutdown the affected system
- Collect usernames from Yahoo Pager, .NET Messenger and AOL Instant Messenger
- Start or stop an HTTP server on any specified port, which makes a selected directory available to the remote user
- Start or stop an FTP server, which allows directory browsing and file uploads/downloads
- Terminate processes - including those belonging to many popular antivirus and other security-related applications (see complete list below):
ACKWIN32.EXE ADVXDWIN.EXE AGENTSVR.EXE ALERTSVC.EXE ALOGSERV.EXE AMON9X.EXE ANTI-TROJAN.EXE ANTIVIRUS.EXE ANTS.EXE APIMONITOR.EXE APLICA32.EXE APVXDWIN.EXE ATCON.EXE ATGUARD.EXE ATRO55EN.EXE ATUPDATER.EXE ATWATCH.EXE AUPDATE.EXE AUTODOWN.EXE AUTOUPDATE.EXE AVCONSOL.EXE AVE32.EXE AVGCC32.EXE AVGCTRL.EXE AVGNT.EXE AVGSERV.EXE AVGSERV9.EXE AVGUARD.EXE AVGW.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVWIN95.EXE AVWINNT.EXE AVWUPD32.EXE AVWUPSRV.EXE AVXMONITOR9X.EXE AVXMONITORNT.EXE AVXQUAR.EXE AckWin32.EXE AutoTrace.EXE AvSynMgr.AVSYNMGR.EXE AvgServ.EXE Avgctrl.EXE AvkServ.EXE Avsched32.EXE BD_PROFESSIONAL.EXE BIDEF.EXE BIDSERVER.EXE BIPCP.EXE BIPCPEVALSETUP.EXE BISP.EXE BLACKD.EXE BLACKICE.EXE BOOTWARN.EXE BORG2.EXE BS120.EXE BlackICE.EXE CDP.EXE CFGWIZ.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95CF.EXE CLEAN.EXE CLEANER.EXE CLEANER3.EXE CLEANPC.EXE CMGRDIAN.EXE CMON016.EXE CONNECTIONMONITOR.EXE CPD.EXE CPF9X206.EXE CPFNT206.EXE CTRL.EXE CV.EXE CWNB181.EXE CWNTDWMO.EXE Claw95.EXE Claw95cf.EXE DEFWATCH.EXE DEPUTY.EXE DOORS.EXE DPF.EXE DPFSETUP.EXE DRWATSON.EXE DRWEB32.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EFPEADM.EXE ENT.EXE ESAFE.EXE ESCANH95.EXE ESCANHNT.EXE ESCANV95.EXE ESPWATCH.EXE ETRUSTCIPE.EXE EVPN.EXE EXANTIVIRUS-CNET.EXE EXE.AVXW.EXE EXPERT.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE F-STOPW.EXE FAST.EXE FINDVIRU.EXE FIREWALL.EXE FLOWPROTECTOR.EXE FP-WIN.EXE FP-WIN_TRIAL.EXE FPROT.EXE FRW.EXE FSAV.EXE FSAV530STBYB.EXE FSAV530WTBYB.EXE FSAV95.EXE GBMENU.EXE GBPOLL.EXE GENERICS.EXE GUARD.EXE GUARDDOG.EXE HACKTRACERSETUP.EXE HTLOG.EXE HWPE.EXE IAMAPP.EXE IAMSERV.EXE IAMSTATS.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE IFW2000.EXE IOMON98.EXE IPARMOR.EXE IRIS.EXE ISRV95.EXE JAMMER.EXE JEDI.EXE KAVLITE40ENG.EXE KAVPERS40ENG.EXE KAVPF.EXE KERIO-PF-213-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-WRP-421-EN-WIN.EXE KILLPROCESSSETUP161.EXE LDNETMON.EXE 
LDPRO.EXE LDPROMENU.EXE LDSCAN.EXE LOCALNET.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE LOOKOUT.EXE LSETUP.EXE LUALL.EXE LUAU.EXE LUCOMSERVER.EXE LUINIT.EXE LUSPT.EXE MCAGENT.EXE MCMNHDLR.EXE MCTOOL.EXE MCUPDATE.EXE MCVSRTE.EXE MCVSSHLD.EXE MFW2EN.EXE MFWENG3.02D30.EXE MGAVRTCL.EXE MGAVRTE.EXE MGHTML.EXE MGUI.EXE MINILOG.EXE MONITOR.EXE MOOLIVE.EXE MPFAGENT.EXE MPFSERVICE.EXE MPFTRAY.EXE MRFLUX.EXE MSCONFIG.EXE MSINFO32.EXE MSSMMC32.EXE MU0311AD.EXE MWATCH.EXE Mcshield.EXE Monitor.EXE N32SCANW.EXE NAV Auto-Protect.NAV80TRY.EXE NAVAP.navapsvc.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVDX.EXE NAVENGNAVEX15.NAVLU32.EXE NAVLU32.EXE NAVNT.EXE NAVSTUB.EXE NAVW32.EXE NAVWNT.EXE NC2000.EXE NCINST4.EXE NDD32.EXE NEOMONITOR.EXE NETARMOR.EXE NETINFO.EXE NETMON.EXE NETSCANPRO.EXE NETSPYHUNTER-1.2.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE NOD32.EXE NORMIST.EXE NORTON_INTERNET_SECU_3.0_407.EXE NPF40_TW_98_NT_ME_2K.EXE NPFMESSENGER.EXE
NPROTECT.EXE NPSSVC.EXE NSCHED32.EXE NTVDM.EXE NTXconfig.EXE NVARCH16.EXE NVC95.EXE NWINST4.EXE NWService.EXE NWTOOL16.EXE Navw32.EXE NeoWatchLog.EXE Nui.EXE Nupgrade.EXE OSTRONET.EXE OUTPOST.EXE OUTPOSTINSTALL.EXE OUTPOSTPROINSTALL.EXE PADMIN.EXE PANIXK.EXE PAVCL.EXE PAVPROXY.EXE PAVSCHED.EXE PAVW.EXE PCC2002S902.EXE PCC2K_76_1436.EXE PCCIOMON.EXE PCCWIN98.EXE PCDSETUP.EXE PCFWALLICON.EXE PCIP10117_0.EXE PDSETUP.EXE PERISCOPE.EXE PERSFW.EXE PERSWF.EXE PF2.EXE PFWADMIN.EXE PINGSCAN.EXE PLATIN.EXE POP3TRAP.EXE POPROXY.EXE POPSCAN.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE PPINUPDT.EXE PPTBC.EXE PPVSTOP.EXE PROCESSMONITOR.EXE PROCEXPLORERV1.0.EXE PROGRAMAUDITOR.EXE PROPORT.EXE PROTECTX.EXE PSPF.EXE PURGE.EXE PVIEW95.EXE QCONSOLE.EXE QSERVER.EXE RAV7.EXE RAV7WIN.EXE RAV8WIN32ENG.EXE REALMON.EXE REGEDIT.EXE REGEDT32.EXE RESCUE.EXE RESCUE32.EXE RRGUARD.EXE RSHELL.EXE RTVSCN95.EXE RULAUNCH.EXE SAFEWEB.EXE SBSERV.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE SD.EXE SERV95.EXE SETUPVAMEEVAL.EXE SETUP_FLOWPROTECTOR_US.EXE SFC.EXE SGSSFW32.EXE SH.EXE SHELLSPYINSTALL.EXE SHN.EXE SMC.EXE SOFI.EXE SPF.EXE SPHINX.EXE SPYXX.EXE SS3EDIT.EXE ST2.EXE SUPFTRL.EXE SUPPORTER5.EXE SWEEP95.EXE SYMPROXYSVC.EXE SYMTRAY.EXE SYSEDIT.EXE Sphinx.EXE SweepNet SWEEPSRV.SYS SWNETSUP.EXE SymProxySvc.EXE TASKMON.EXE TAUMON.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TDS-3.EXE TDS2-98.EXE TDS2-NT.EXE TFAK.EXE TFAK5.EXE TGBOB.EXE TITANIN.EXE TITANINXP.EXE TRACERT.EXE TRJSCAN.EXE TRJSETUP.EXE TROJANTRAP3.EXE UNDOBOOT.EXE UPDATE.EXE VBCMSERV.EXE VBCONS.EXE VBUST.EXE VBWIN9X.EXE VBWINNTW.EXE VCSETUP.EXE VET32.EXE VET95.EXE VETTRAY.EXE VFSETUP.EXE VIR-HELP.EXE VIRUSMDPERSONALFIREWALL.EXE VNLAN300.EXE VNPC3000.EXE VPC32.EXE VPC42.EXE VPFW30S.EXE VPTRAY.EXE VSCAN40.EXE VSCENU6.02D30.EXE VSCHED.EXE VSECOMR.EXE VSISETUP.EXE VSMAIN.EXE VSMON.EXE VSSTAT.EXE VSWIN9XE.EXE VSWINNTSE.EXE VSWINPERSE.EXE VbCons.EXE Vet95.EXE VetTray.EXE W32DSM89.EXE W9X.EXE WATCHDOG.EXE WEBSCANX.EXE WEBTRAP.EXE WFINDV32.EXE WGFE95.EXE 
WHOSWATCHINGME.EXE WIMMUN32.EXE WINRECON.EXE WNT.EXE WRADMIN.EXE WRCTRL.EXE WSBGATE.EXE WYVERNWORKSFIREWALL.EXE WrAdmin.EXE WrCtrl.EXE XPF202EN.EXE ZAPRO.EXE ZAPSETUP3001.EXE ZATUTOR.EXE ZAUINST.EXE ZONALM2601.EXE ZONEALARM.EXE _AVP32.EXE _AVPCC.EXE _AVPM.EXE agentw.EXE apvxdwin.EXE avkpop.EXE avkservice.EXE avkwctl9.EXE avpm.EXE blackd.EXE ccApp.EXE ccEvtMgr.EXE ccPxySvc.EXE cleaner.EXE cleaner3.EXE cpd.EXE defalert.EXE defscangui.EXE f-stopw.EXE fameh32.EXE fch32.EXE fih32.EXE fnrb32.EXE fsaa.EXE fsav32.EXE fsgk32.EXE fsm32.EXE fsma32.EXE fsmb32.EXE gbmenu.EXE gbpoll.EXE iamapp.EXE iamserv.EXE lockdown2000.EXE notstart.EXE npscheck.EXE ntrtscan.EXE nvsvc32.EXE pavproxy.EXE pccntmon.EXE pccwin97.EXE pcscan.EXE rapapp.EXE rtvscan.EXE sbserv.EXE vbcmserv.EXE vshwin32.EXE vsmon.EXE zapro.EXE zonealarm.EXE
Analysis by Matt McCormack